Privacy policy

Privacy Policy

Beer of Satoshi GmbH (“Beer of Satoshi”, “we”, “us”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard your information when you interact with our online store. It is designed to comply with the EU General Data Protection Regulation (GDPR) and relevant German data protection laws.

Data Controller and Contact Information

Data Controller: Beer of Satoshi GmbH
Address: Im Mediapark 5, 50670 Cologne, Germany.

Beer of Satoshi GmbH is the entity responsible for the processing of your personal data in connection with the online shop. If you have any questions or requests regarding your personal data, you can contact us at the above address (or via the contact options provided on our website).

Scope of this Privacy Policy

This Privacy Policy applies to all personal data collected through your interactions with our online store and website. It covers, in particular:

  • Website and Online Store: All pages and features on our shop website, including browsing products and placing orders.

  • Customer Accounts: Data collected when you register for an account and manage your profile.

  • Checkout & Payments: Information processed during the checkout process and when handling payments.

  • Cookies & Similar Technologies: Our use of cookies, localStorage, and similar technologies for site functionality and preferences.

  • Analytics & Marketing: Use of analytics tools and marketing trackers (only after you give consent).

  • Embedded Media: Embedded third-party content such as product videos (e.g. Vimeo players on our site).

  • Social Media Integrations: Integration of social media features or links (Instagram, X (Twitter), LinkedIn, TikTok, Nostr) on our site. If you interact with these, your data may be processed as explained below.

  • Age Verification Mechanism: Our site requires age verification (18+ only) to comply with youth protection laws. We process a simple age check (e.g. asking you to confirm you are over 18) before granting access.

Legal Bases for Data Processing

We only process personal data when we have a valid legal basis under GDPR. Depending on the purpose, one or more of the following legal grounds apply:

  • Performance of a Contract (GDPR Art. 6(1)(b)): We process data that is necessary to enter into or fulfill our contract with you – for example, to handle your orders, payments, and deliveries. This covers all processing required to provide the services you request (purchase contracts, account management, customer service, etc.).

  • Legitimate Interests (GDPR Art. 6(1)(f)): We process certain data to pursue our legitimate business interests, only where your rights and freedoms do not override these interests. Examples include ensuring the security of our website and preventing fraud, remembering non-essential preferences (like cookie settings), or age-gating the site to prevent underage access. In all such cases, we have carefully balanced our interests against your privacy rights.

  • Consent (GDPR Art. 6(1)(a)): For any non-essential data processing, especially analytics and marketing, we will ask for your explicit consent. For instance, we will only activate analytics cookies or send you marketing communications if you have agreed to it. You have the right to withdraw consent at any time (see Your Rights below).

  • Legal Obligation (GDPR Art. 6(1)(c)): In some cases, we must process and retain certain data to comply with legal obligations. For example, German tax law requires us to keep invoice records for 10 years. Similarly, age verification is done to comply with youth protection laws. When we process data for compliance with a legal obligation, this is done under Art. 6(1)(c).

Purposes of Data Processing

We collect and use personal data for the following purposes in connection with our online shop:

  • Order Fulfillment and Delivery: To process your orders, we use your contact and order details to confirm purchases, provide order updates, and deliver products to you. This includes sharing necessary information with delivery services. Processing for these purposes is necessary to perform our sales contract with you.

  • Payment Processing: To accept payments and verify transactions. Depending on the payment method you choose, we will process data required by our payment providers (e.g. transmitting the transaction amount and an identifier to Shopify Payments, PayPal, or OpenNode). For example, when you pay, our system may record your payment method, transaction ID, and related details to confirm and complete the payment. This is also part of fulfilling the purchase contract.

  • Preference Management and Age Verification: To remember your choices and comply with restrictions. We use cookies or local storage to save your cookie consent preferences and to store an “age-verification” flag confirming you are 18 or older (so you aren’t asked on every visit). Processing these items is in our legitimate interest to provide a user-friendly experience (e.g. not showing the age gate repeatedly) and to comply with legal age restrictions.

  • Security and Fraud Prevention (Server Logs): To protect our website and users, our servers automatically log certain data when you visit (such as IP address, access time, URL visited, browser info). We use these logs to monitor for malicious activities (e.g. repeated failed logins, DDoS attacks) and to diagnose technical issues. This processing is based on our legitimate interest in ensuring the security and stability of our servicesr. Server log data is only accessed by authorized personnel and is deleted or anonymized after a short period (see Data Retention below).

  • Analytics and Marketing (with Consent): To improve our website and reach customers, we may use analytics tools (e.g. website traffic analysis) or marketing services (e.g. tracking for ad performance). These tools (such as Google Analytics or similar) will only be activated if you have given consent via our cookie banner or preferences center. If you consent, these services collect usage data (e.g. pages viewed, clicks, and for marketing, possibly device identifiers) to help us understand how the site is used and to tailor advertising. You can opt out at any time by withdrawing your consent (see Cookies and Your Rights sections for details).

Categories of Personal Data Collected

We collect and process various categories of personal data about you, depending on your interactions with our site:

  • Contact and Identity Information: When you place an order or create an account, we collect information such as your name, billing and shipping address, email address, and phone number. This is used to fulfill orders, communicate with you, and maintain your account.

  • Order and Payment Details: Information related to your orders and payments, such as the products you ordered, order numbers, payment method, and payment transaction references. For example, if you pay by credit card or Shopify Payments, we record a payment confirmation (but not your full card number); if you use PayPal, we store the PayPal transaction ID; if you pay via Bitcoin/Lightning (OpenNode), we store the invoice ID or hash and payment status. We do not see or store your full payment credentials (those are handled securely by the payment providers).

  • Technical Usage Data: When you use our website, our system collects technical data automatically. This includes your IP address, device and browser type, operating system, the pages you visit, time and date of access, and referring website. In server logs, IP addresses are typically stored in an anonymized or truncated form for security monitoring. We also capture user agent strings and timestamps for each request. This technical information helps us ensure the site works properly and to investigate issues or security incidents.

  • Cookies and Preference Data: We store data about your preferences to enhance your experience. This includes cookie identifiers and settings (e.g. whether you consented to analytics cookies or what items are in your cart) and localStorage flags for features like the age verification gate. For instance, when you confirm you are 18+, a localStorage value may be set in your browser to remember this so you don’t see the age check again. We also note your cookie consent choices (opt-in or opt-out) to respect them on future visits.

Recipients of Personal Data and Third-Party Services

In the course of running our online store, we share personal data with third parties who assist us in providing our services. We ensure that each such recipient only receives the data necessary for their function, and we have appropriate agreements in place to protect your information. Key recipients and processors include:

  • Shopify (Hosting & Platform Provider): Our store is built on and hosted by Shopify. Shopify International Ltd. (based in Ireland) provides the e-commerce platform and infrastructure we use. This means personal data you enter on our website (account info, orders, payments) is stored on Shopify’s servers. Shopify may process data in other locations (e.g. Shopify Inc in Canada, or Shopify’s sub-processors in the USA) for backup, support, and technical operations. Transfers of personal data to Shopify’s Canadian entity are covered by the EU Commission’s adequacy decision for Canada, and any transfers to the USA or other countries are safeguarded by Standard Contractual Clauses or equivalent GDPR-compliant measures. (See also International Data Transfers below.)

  • Payment Service Providers: We use third-party payment processors to handle payments securely. Depending on your chosen payment method, your payment information will be forwarded to one of the following:

    • Shopify Payments (Credit/Debit Cards): If you pay by card, the payment is processed via Shopify Payments, which is facilitated by Stripe. Your card details are handled by Stripe/Shopify Payments, and we receive a confirmation or token – not the raw card number.

    • PayPal: If you choose PayPal, you will be redirected to PayPal to complete payment. We transmit to PayPal the necessary order and billing information (e.g. order total, your name and shipping address for verification). PayPal then provides us with a payment confirmation ID or transaction number. (PayPal (Europe) S.à r.l. et Cie, S.C.A. is based in Luxembourg and thus within the EU for data protection.)

    • OpenNode (Bitcoin/Lightning Payments): If you opt to pay with Bitcoin via the Lightning Network, we use OpenNode Inc.’s payment gateway. You will be directed to an OpenNode interface to either pay an on-chain Bitcoin address or a Lightning invoice. OpenNode may process transaction data (amount, timestamp, and an invoice or transaction hash) to confirm the payment. We receive notification from OpenNode when your payment is completed. OpenNode is a U.S.-based service; any transfer of personal data (to the extent such data is involved in a crypto payment, e.g. IP address or transaction metadata) is protected by appropriate safeguards like Standard Contractual Clauses. Notably, OpenNode’s system is designed to minimize personal data, but transaction identifiers could be considered personal data if linked to an individual.

  • Shipping and Delivery Companies: When you place an order for physical goods, we share your necessary contact details with the courier/shipping company to deliver your package. This typically includes your name, delivery address, and in some cases phone number or email (for shipment notifications). Our primary shipping partners are DHL, DPD, FedEx and UPS. We only transmit the data required for shipping the order, and do so under the legal basis of contract performance (getting your order to you). These carriers are independent data controllers for the delivery process, and may contact you with tracking updates.

  • Analytics and Marketing Partners: If you have given consent for analytics or marketing cookies, we may use third-party services to analyze usage or display ads. For example, we might use Google Analytics to understand website traffic, or other marketing tools. Such tools will receive certain online identifiers and usage data from your browser when they are activated (never before consent). All such data sharing is based on your consent (GDPR Art. 6(1)(a)), and you can opt out at any time. (Currently, we do not use invasive marketing profiling, but if we do in future, this policy will be updated and appropriate consent obtained.)

  • Embedded Video (Vimeo, YouTube): We sometimes embed product or promotional videos hosted on Vimeo on our website. When you play an embedded Vimeo or YouTube video, Vimeo/YouTube may process your data such as your IP address, device info, and interactions with the video player. Vimeo, LLC is based in the USA, so any data transmitted by your browser when playing the video (e.g. to stream the content) goes to the US. We ensure that Vimeo embeds on our site are in “do-not-track” mode if available, and we only embed videos in a way that complies with GDPR (for instance, we will seek your consent if the Vimeo player attempts to set non-essential cookies or tracking via a consent banner). Vimeo may set its own cookies or similar technologies when you press play; these are governed by Vimeo’s Privacy Policy. If you prefer not to have Vimeo collect your data, do not play the videos.

  • Social Media Platforms: Our site may include features that link to our social media pages or allow you to share content (e.g. Instagram feed display, “Tweet” or “Share” buttons for Instagram, X (Twitter), LinkedIn, TikTok, Nostr. We do not directly transmit your personal data to these platforms; however, if you click such links or have these plugins enabled, the relevant social network may know that you visited our site and might receive technical data from your browser (similar to any website you visit). For example, if we embed an Instagram post, Instagram/Facebook (Meta Platforms) will receive your IP address and see that your browser loaded that content. These social media platforms operate as independent controllers of that data — please refer to their privacy policies. We advise you to log out of any social networks while browsing if you want to limit tracking via social plugins. We only include such integrations in compliance with applicable privacy requirements (e.g. using sharer links or the official embed code provided by those services).

International Data Transfers: Whenever we transfer or allow access to your personal data outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place to protect it in accordance with GDPR Chapter V. Some of our service providers are based outside the EEA (for example, Shopify’s parent company in Canada or servers in the U.S., OpenNode in the U.S., Vimeo in the U.S.). In such cases, we rely on mechanisms like: EU Commission adequacy decisions (for Canada) or Standard Contractual Clauses (SCCs) and supplemental measures for other countries. These contractual obligations ensure the recipients protect your data to EU standards. You can contact us if you have questions about our international data transfer safeguards or wish to obtain a copy of them.

Cookie Usage and Similar Technologies

Our website uses cookies and similar technologies to ensure functionality, enhance user experience, and (with your consent) to analyze usage or for marketing purposes. Cookies are small text files stored on your device, and we categorize them as follows:

  • Essential Cookies: These cookies are necessary for the website to function properly and cannot be turned off (they do not require consent under GDPR/TTDSG, but we want you to know about them). For example, we use cookies to maintain your shopping cart session, to provide security (CSRF tokens, login session cookies), and to remember that you passed the age verification gate. Without these, basic e-commerce features would not work. We rely on GDPR Art. 6(1)(b) (contractual necessity) and Art. 6(1)(f) (legitimate interest in providing a functional, secure service) to use these cookies. Essential cookies do not track you for advertising purposes.

  • Analytics and Marketing Cookies (Optional): These cookies are not set unless you explicitly opt-in. They help us understand how our site is used or help us with marketing efforts. For instance, an analytics cookie might track which pages are most popular, or a marketing cookie might help us show you relevant ads on other platforms. We only use such cookies with your consent (GDPR Art. 6(1)(a)). When you first visit our site, you will see a cookie consent banner or pop-up that lets you choose which categories of cookies you accept. You can decline analytics/marketing cookies and still use our site; they will remain disabled. If you do consent, you can always change your mind later.

Cookie Management: You have control over cookie preferences at all times. You can use our cookie consent tool (the banner or settings on our website) to adjust which cookies are active. Additionally, most web browsers allow you to delete or block cookies. You can also configure browser settings to notify you when cookies are set, or to block third-party cookies. Please note that blocking certain cookies (especially essential ones) might impair some functionalities of our store (for example, the cart might not remember items if session cookies are blocked). We honor Do-Not-Track signals for analytics where feasible, and we do not set non-essential cookies unless you have opted in. For more details on specific cookies we use and their lifespans, please refer to our Cookie Settings page (if available) or contact us.

Data Retention

We keep personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with applicable legal requirements. The retention periods vary depending on the type of data and purpose of processing:

  • Order and Transaction Records: We retain records of your purchases (invoices, receipts, transaction details) for 10 years. This extended period is required under German commercial and tax law (e.g. §147 AO – Fiscal Code) to retain books and records for ten years. Even if you delete your customer account, we must still keep invoice data in our offline archives until the legal retention period expires. After 10 years, such records are deleted or anonymized in a secure manner.

  • Customer Account Data: Information in your customer account (name, contact info, order history) is stored as long as you maintain an account with us. If you choose to delete your account or it remains inactive for an extended period, we will either delete or anonymize the personal data associated with it, provided we have no legal obligation to retain it. Certain elements of account data related to orders may be retained in our order records (as above) for legal compliance.

  • Payment Information: We do not store your sensitive payment details (like full credit card numbers) ourselves. Payment processors may store your payment data on our behalf (e.g. for recurring billing or refunds) according to their own retention obligations. We keep payment transaction records (e.g. that a certain transaction occurred) aligned with order records for up to 10 years, for accounting and fraud prevention purposes.

  • Server Logs: Raw web server logs (which include IP addresses and site activity data) are retained for a short period — currently, 14 days — in their identifiable form After this period, we either delete the logs or anonymize any personal identifiers within them. Anonymized logs (with no personal data) may be kept longer for statistical analysis and to improve our services. The short retention of identifiable logs balances our need for security auditing with respect for your privacy.

  • Analytics Data: If you have consented to analytics, the data collected (e.g. site usage statistics) is retained according to the tool’s settings and our configuration. For example, Google Analytics may retain aggregated website visit data for 14 months by default. We do not keep identifiable analytics data longer than necessary, and you can request deletion of any personal data that might be linked to analytics (though typically analytics data is aggregated and not directly linked to named individuals). If you withdraw consent for analytics/marketing, we will stop collecting new data immediately; we may still retain existing analytics logs for a limited time (or until scheduled deletion) but will not actively use them, and will purge them in accordance with our internal policies.

  • Communications: If you contact us (e.g. via email or contact form), we will retain your message and our response for as long as needed to address your inquiry, and for a short period thereafter in case of follow-up. Typically, routine customer service correspondence is kept for up to 1 year. If your communication relates to a transaction or legal matter, we may retain it as part of our contract records or legal files for longer if necessary.

  • Legal Requirements and Disputes: In addition to the above, we may retain data longer if needed to establish, exercise, or defend against legal claims. If a dispute arises or we receive a legal hold or preservation request, we will retain the relevant data until the issue is resolved. Also, where laws mandate a specific retention period (e.g., tax or employment laws), we keep the data for that period.

After the applicable retention period ends, we will either delete your personal data or anonymize it (so it can no longer be linked to you). We take care to ensure data is securely destroyed to prevent unauthorized access even at the end of its life. In summary, we do not keep personal data indefinitely by default – only as long as it is truly needed or required by law.

Your Rights as a Data Subject

As a user of our online shop and as a data subject under the GDPR, you have the following rights regarding your personal data:

  • Right of Access: You have the right to obtain confirmation of whether we are processing your personal data, and if so, to request a copy of the data we hold about you (commonly known as a data subject access request).

  • Right to Rectification: If any personal data we have about you is incorrect or incomplete, you have the right to request that we correct or update it without undue delay.

  • Right to Erasure: You have the right to request deletion of your personal data in certain circumstances. This is sometimes called the “right to be forgotten.” We will erase data upon request if we have no legal or legitimate reason to retain it. For example, you can ask us to delete your customer account and we will remove your personal details, provided we don’t need to keep some records for legal reasons (see Data Retention above for what we might need to keep).

  • Right to Restrict Processing: You can ask us to restrict (temporarily halt) the processing of your personal data under certain conditions. For instance, if you contest the accuracy of data or have objected to processing (see below), you can request restriction while we address your concern. During restriction, we will store your data securely and not use it except to the extent allowed by you or as necessary for legal reasons.

  • Right to Data Portability: For data that you have provided to us and which we process by automated means on the basis of your consent or to perform a contract, you have the right to receive that data in a structured, commonly used, machine-readable format and to transmit it to another service provider where technically feasible In practice, this might include basic account information or order details that you gave us, which we can export for you upon request.

  • Right to Object: You have the right to object to our processing of your personal data when such processing is based on our legitimate interests (Art. 6(1)(f) GDPR), including profiling based on those interests. You also have an unconditional right to object to your data being used for direct marketing purposes at any time. If you lodge an objection, we will review the processing and, unless we have compelling legitimate grounds to continue, we will stop processing the data in question. Where you object to marketing uses, we will cease such marketing for your data.

  • Right to Withdraw Consent: If we are processing any personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing done before you withdrew, but it means we will stop the processing going forward. For example, you can opt out of analytics cookies by withdrawing consent in the cookie settings, or unsubscribe from our newsletter to withdraw consent for marketing emails. We have made it as easy to withdraw as it was to give consent.

  • Right to Lodge a Complaint: If you believe we have not complied with data protection laws, you have the right to file a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement. For Beer of Satoshi, our lead supervisory authority in Germany is the Data Protection Authority of North Rhine-Westphalia (LDI NRW). You can contact the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen) which is the relevant DPA for our company. Their website is www.ldi.nrw.de. You also have the option to contact any other data protection supervisory authority within the EU. We would, however, appreciate the chance to address your concerns directly before you approach a regulator – so please feel free to contact us with any issue, and we will do our best to resolve it.

Exercising Your Rights: You can exercise the above rights at any time by contacting us (see Data Controller and Contact Information section). For security, we may need to verify your identity before fulfilling certain requests (like access or deletion requests) – this is to ensure that we do not disclose or delete data at the request of an unauthorized person. We will respond to your inquiry as soon as possible, and at least within the timeframe required by law (generally within one month for most requests, extendable to two months if necessary with notice to you). There is no fee for making a request, unless it is manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse the request with explanation).

Security Measures

We take the security of your personal data very seriously. We implement a variety of technical and organizational measures to protect your data from unauthorized access, alteration, disclosure, or destruction. These include:

  • Encryption: All pages on our site are served over secure connections. We use industry-standard TLS 1.3 encryption (HTTPS) to encrypt data in transit between your browser and our servers. This means any personal information you submit (e.g. during account registration or checkout) is encrypted and cannot be easily intercepted by third parties. You can verify this by looking for the padlock icon in your browser’s address bar and the "https://" prefix in the URL.

  • Secure Payment Handling (PCI Compliance): We do not process or store credit card details on our own servers. All card payments are handled by Shopify/Stripe through Shopify Payments, or by PayPal, etc., who are PCI-DSS certified. Shopify is certified as a Level 1 PCI DSS compliant service provider (the highest level of payment data security). This compliance extends to our online store by virtue of using Shopify’s platform, ensuring that your payment information is handled with rigorous security standards. Similarly, PayPal and OpenNode have their own strict security and encryption protocols for payments. We regularly review these processors to ensure they meet security standards.

  • Access Controls & Principle of Least Privilege: We limit access to your personal data strictly to those employees and service providers who need it to perform their duties. Internally, staff access to administrative systems is role-based and follows the principle of least privilege – each person is given the minimum access necessary for their role, and nothing more. For example, our fulfillment team can see your name and address to ship your order, but they cannot access your payment details; our technical support can view account information to assist you, but they might not view your full payment history, etc. All access to personal data is logged and monitored. By minimizing who can access data, we reduce the risk of unauthorized disclosure.

  • Organizational Policies: Our personnel are trained in data protection and security best practices. We have internal policies in place to ensure confidentiality and to swiftly handle any potential security incident. Only authorized personnel (who are bound by confidentiality obligations) are permitted to handle personal data. We also require any subcontractors or partners to adhere to strict data protection standards.

  • Technical Protections: We employ firewalls, intrusion detection systems, and anti-malware protections on our IT infrastructure to guard against external attacks. The Shopify platform continuously updates and patches its software to address security vulnerabilities. We utilize secure coding practices in any custom development. Regular backups are performed to prevent data loss, and those backups are encrypted. Where feasible, personal data is pseudonymized or encrypted at rest for an added layer of security.

  • Monitoring and Testing: We monitor our systems for possible vulnerabilities and attacks. Suspicious activities (like repeated failed logins or unusual traffic patterns) are investigated. We also periodically test our security measures – for instance, through security audits or penetration testing by qualified experts – to evaluate the strength of our safeguards and improve them as needed.

  • Data Minimization: Beyond protecting the data we have, we also practice data minimization as a security strategy. We only collect personal data that we truly need for the stated purposes, and we retain it only for as long as necessary (see Data Retention). By holding less data and discarding it when no longer needed, we reduce the amount of information that could be exposed in the unlikely event of a breach. This approach of “privacy by design and default” is in line with GDPR principles and helps keep your data safer.

Despite all these measures, no system can be 100% secure. However, we strive to keep our defenses updated with the latest security technologies and best practices. In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will follow all applicable breach notification laws – including informing you and the relevant supervisory authority (DPA) as required.

Updates to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make significant changes, we will notify users by posting a prominent notice on our site or by other appropriate means. The “last updated” date below indicates when this Policy was last revised. We encourage you to review this Policy periodically to stay informed about how we are protecting your data.

Last updated: November 22, 2025.

[Any changes will become effective when posted to our website. Your continued use of the site after any update signifies your acceptance of the revised Policy.]

Contact Us: If you have any questions or concerns about this Privacy Policy or how we handle your personal data, please do not hesitate to contact us at Beer of Satoshi GmbH (see address above) or via our customer support email/phone as listed on our website. We are here to help and value your privacy.